Make WordPress Core

Opened 17 years ago

Closed 16 years ago

Last modified 13 years ago

#2660 closed defect (bug) (wontfix)

WordPress admin creates invalid ( netscape ) dbx-postmeta cookies on OSX + Safari, can cause apache segfault

Reported by: jvanasco
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 2.1
Component: General
Keywords: cookie corrupt
Focuses:
Cc:

Description

I came across this issue a while back. I thought it would be resolved, as it was in the forums - but it wasn't, and there's no ticket either open or closed addressing it, so here are my notes:

I wrote a web services module to incorporate the TrackBack protocol into my mod_perl application

I started testing it using WordPress - the php blog software

It seems to have set a cookie (see details below), that causes an automatic error in libapreq (accessed via the perl bindings), which can segfault apache (libapreq isn't just used in perl, it's the general Apache API for parsing cookies).

The error in the logs is: "Expected token not present"

The issue seems to be definitively caused by an issue in the way that wordpress encodes the cookie and safari sends it

http://wordpress.org/support/topic/52813
http://www.darcynorman.net/2005/12/21/upgrading-blog-to-wp-20-rc3

From the headers_in, it seems that WordPress includes raw-php code (instead of executing it), and either wordpress or safari doesn't escape the , in the cookies.

re netscape cookie draft:
( common standard - http://wp.netscape.com/newsref/std/cookie_spec.html )
"NAME=VALUE
This string is a sequence of characters excluding semi-colon, comma and white space. If there is a need to place such data in the name or value, some encoding method such as URL style %XX encoding is recommended, though no encoding is defined or required.
This is the only required attribute on the Set-Cookie header."

The RFCs regarding cookies don't have the restriction, but do use , and ; as a delimiter -- and most libraries code to the netscape standard.

The fix would be to just encode/escape the , on reading/writing cookies.

In production I see little opportunities this will affect me or any other user -- it's not often that people use multiple languages & projects on the same domain.

The segfault, naturally, occurs whether or not the code is wrapped in an eval block. An eval block didn't seem to catch the other error either (sorry, but I can't discern what it is).

I've enclosed a Data::Dumper representation of the APR::Table headers_in after the cookie info. I'll be happy to pull it into any other format if needed.

To recreate this, you can use:

  • wordpress 2.0 -> 2.1
  • mac osx 10.4.(5,6) + safari 2.0.3
  • libapreq 2.07
  • httpd 2.055

  • Created: 193189633
  • Domain: g5.local
  • Expires: 2007-02-14T23:47:13Z
  • Name: dbx-postmeta
  • Path: /
  • Value: grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-

$headers_in = bless( {

'Accept' => '*/*',
'Accept-Language' => 'en',
'Accept-Encoding' => 'gzip, deflate',
'Cookie' => 'wordpressuser_c580712eb86cad2660b3601ac04202b2=admin; wordpresspass_c580712eb86cad2660b3601ac04202b2=7ebeeed42ef50720940f5b8db2f9db49; rs_session=59ae9b8b503e3af7d17b97e7f77f7ea5; dbx-postmeta=grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-',
'User-Agent' => 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8',
'Connection' => 'keep-alive',
'Host' => 'g5.local:8082'
}, 'APR::Table' );
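The check and the fix the report describes, as an added example that is not part of the ticket, WordPress, or libapreq: a parser that flags cookie values violating the Netscape NAME=VALUE rule (no semicolon, comma or whitespace) and the %XX encoding the draft recommends, run over a constructed copy of the dbx-postmeta cookie from the headers above (the wordpressuser cookie name is shortened).

```python
"""Validate a Cookie request header against the Netscape cookie draft and
apply the %XX encoding it recommends. Added example, not project code."""
import re
from urllib.parse import quote, unquote

# Characters the Netscape draft forbids inside NAME and VALUE.
FORBIDDEN = re.compile(r"[;,\s]")

# Constructed copy of the header from the ticket (only the relevant cookies kept).
SAMPLE_HEADER = ("wordpressuser_example=admin; "
                 "dbx-postmeta=grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-")


def split_cookies(header):
    """Split a Cookie header on ';' and on the FIRST '=' of each pair, so a
    value that itself contains '=' (as dbx-postmeta does) survives intact."""
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((name, value))
    return pairs


def invalid_cookies(header):
    """Return the (name, value) pairs that break the draft's rule. A strict
    tokenizer fed such a value stops at the first ',' and reports a missing
    token instead of returning the cookie; a robust one should do exactly
    that and return an error, never crash the server process."""
    return [(n, v) for n, v in split_cookies(header)
            if FORBIDDEN.search(n) or FORBIDDEN.search(v)]


def encode_value(value):
    """%XX-encode only the forbidden characters; '=', '&' and '+' stay readable."""
    return quote(value, safe="=&+/")


def decode_value(value):
    """Inverse of encode_value; '+' is left alone (no unquote_plus)."""
    return unquote(value)


def sanitized_header(header):
    """Rebuild the header with every value encoded per the draft."""
    return "; ".join(f"{n}={encode_value(v)}" for n, v in split_cookies(header))
```

Running invalid_cookies on the original header flags only dbx-postmeta; running it on sanitized_header's output flags nothing, and decode_value recovers the original grabit/advancedstuff string.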

Change History (2)

#1 @rob1n
16 years ago

Can anyone reproduce this?

#2 @Nazgul
16 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

No traction in over a year, so closing as wontfix.

Feel free to reopen if you have patches/suggestions/...
